Do you work in an office where a team shares a single login to a reference system? Or maybe at home you let Grandma borrow your Netflix login? These are common situations across the business landscape today, and 1Password has implemented a feature aimed at securing these kinds of password-sharing scenarios. The Password Secure Sharing Tool, or Psst!, aims to give you a secure way to share a password with a colleague or with Grandma. The recipient does not need a 1Password account for the exchange to work; you can send the password securely to anyone. This sounds nice on the surface, but how secure is it really?
Psst! uses a secure link rather than having you type your password into a text message or chat application. The link's permissions can be customized so that it expires after a specified time period or a certain number of clicks, in line with methods already used by many familiar platforms such as Slack, Discord, the Google Drive product suite, and many more. Also familiar: you can restrict a link to specific people, who must verify an email address to access it, or set it so that “anyone with this link can view.”
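To make the link controls described above concrete, here is an added example (not 1Password's code, and not a description of how Psst! is built) modelling a server-side sharing link with an expiry time, a view limit and an optional recipient email; the email is assumed to have been verified by the caller before `redeem()` is called, and the hashed-token storage is an assumed design choice.

```python
# Added example (not 1Password's code): a minimal server-side model of a
# sharing link with the controls the article lists: expiry time, click/view
# limit, and an optional recipient e-mail (assumed verified by the caller).
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShareRecord:
    token_hash: str               # only a hash of the link token is stored (assumed design)
    secret: str                   # would be encrypted at rest in a real service
    expires_at: float             # Unix time after which the link is dead
    max_views: int                # number of successful opens allowed
    allowed_email: Optional[str]  # None means "anyone with this link can view"
    views: int = 0

class ShareStore:
    def __init__(self):
        self._records = {}

    @staticmethod
    def _hash(token):
        # A stolen copy of _records yields hashes, not usable link tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret, ttl_seconds, max_views=1, allowed_email=None, now=None):
        """Store the secret and return the URL-safe token the sender hands out."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        key = self._hash(token)
        self._records[key] = ShareRecord(key, secret, now + ttl_seconds, max_views, allowed_email)
        return token

    def redeem(self, token, email=None, now=None):
        """Return (secret, 'ok') and consume one view, or (None, reason) if denied."""
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None:
            return None, "unknown link"
        if now >= rec.expires_at:
            return None, "expired"
        if rec.allowed_email is not None and email != rec.allowed_email:
            return None, "recipient not allowed"
        if rec.views >= rec.max_views:
            return None, "view limit reached"
        rec.views += 1
        return rec.secret, "ok"
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; omit it in real use.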
1Password is an industry leader in the cybersecurity space, with notable global-scale clients such as IBM. Their website describes them as a secure enterprise password manager with more than 100,000 business clients worldwide. This lends some credibility to the idea that the feature should be pretty secure. I reached out to Duffy P. Weber of Weber Consulting Ltd. in Cincinnati, a cybersecurity professional with over 20 years of experience, for a professional perspective and was provided the following comments:
One of the first things that I think is an essential question, in regards to systems like this, is “where are the stored passwords actually kept,” and “what is the implementation?”
Something like this can be an ideal solution to keep relatives from running around with your streaming services logins. However, in a business or corporate environment, things get a lot trickier. For some businesses, HIPAA and federal financial regulations stringently dictate the keeping and handling of passwords, and using services like these could actually violate Federal privacy laws, in certain cases. That has to be evaluated for such organizations, but in other corporate or domestic use cases, there is still the question of security. […] If someone manages to access this type of service’s servers, they have an entire clearinghouse of user login data at their fingertips. While again, that’s dependent on how their systems are structured, it’s not unheard of for this to happen.
Systems such as Google Chrome keep stored passwords in a file on your local machine, while other services keep login information indexed in a cloud location. With this insight, the most pressing question is clearly “Where are you keeping my password information?” After reviewing the information available on their website, I don’t have an answer to that question. It is reasonable to conclude that they may not make that information publicly available for security reasons.
Takeaway advice? If a product such as this one, or a similar one, is on your radar, make sure it meets your security thresholds and complies with your industry’s security regulations.